Exploit?

[Greg Bartlett]

Someone registered an account on my forum today, and posted this URL:

http://www.orangepower.com/account-confirmation/9374/email?c=92c010ee8bcbc552

What this does to anyone who clicks it, is makes them reset their password, then emails the password to the spammer. Quite a few people fell for it.

Any way to prevent this?

 

[Mike]

I don't see how that link can do that - it's for confirming your email is valid. It doesn't touch passwords at all.

Additionally, the link can only work once, and only for the user ID specified in the URL.

 

[Kier]

Mike's right, the link simply does not and can not do what you describe.

 

[Greg Bartlett]

Mike's right, the link simply does not and can not do what you describe.

Thanks, being an admin, I didn't dare click on it.. but the user base was going nuts.

Appreciate it and all the work you both do.

 

[Floris]

Can't control those who assume incorrectly
If they follow the link and the "hacker" gets the password, something else is going on that has nothing to do with xenforo's core product.

 

[James]

Are you sure that's the link and not just a masquerade?

www.microsoft.com <- google

 

[Kier]

Are you sure that's the link and not just a masquerade?

www.microsoft.com <- google

It's a pretty specific, and suspicious-looking link to use as a masquerade though isn't it? Wouldn't this be much better?

http://xenforo.com/community/threads/cute-fluffy-kittens.1138/

 

[ragtek]

[ot]Isn't it much better with url shorteners? [/ot]

 

[EQnoble]

damn it. I just got rick rolled.

 

[Kier]

damn it. I just got rick rolled.

Oh no! How?

 

[EQnoble]

Oh no! How?

Gee ...let...me...think...